The Next Big Cyber-Attack Vector: APIs

With cyber-attacks on enterprise networks becoming more sophisticated, organizations have stepped up perimeter security by investing in the latest firewall, data and endpoint protection, as well as intrusion prevention technologies. In response, hackers are moving to the path of least resistance and looking for new avenues to exploit. Many security experts believe the next wave of enterprise hacking will be carried out by exploiting Application Programming Interfaces (APIs).

In fact, cyber adversaries are already targeting APIs when planning their attacks. The data breach at Panera Bread is a good example. The bakery-café chain left an unauthenticated API endpoint exposed on its website, allowing anyone to view customer information such as username, email address, phone number, last four digits of the credit card, birthdate, etc. Ultimately, data belonging to more than 37 million customers was leaked over an eight-month period. This raises the question on how to minimize the growing cyber security risk associated with APIs without hampering the benefits they provide in terms of agile development and expanded functionality.

API usage in application development has become the new de facto standard, whereby developers take advantage of integrating functionality from third-party provided services rather than building all the capabilities they need from scratch. This allows for a more agile development process for new products and services. According to a One Poll study, businesses on average manage 363 different APIs, and two-thirds (69 percent) of those organizations are exposing their APIs to the public and their partners. Developers can augment their code by searching API libraries such as API Hound, which uses machine scanners to find its 50,000+ APIs, or ProgrammableWeb, which maintains the world’s largest hand-curated directory of APIs — now measured at over 17,000.

While APIs support the interactive digital experiences users have gotten used to and are fundamental to a business’ digital transformation, they provide hackers with multiple venues to access an organization’s data and can even be used to cause massive business disruptions. Common attack methods being used to exploit APIs include:

● API Parameter Tampering - Hackers are often use this technique to either reverse engineer an API or gain further access to sensitive data.

● DDoS Attacks - Poorly written code can be used to consume computer resources by sending invalid input parameters, subsequently causing a disruption to the API-supported Web application.

To minimize their exposure to API-based threats, organizations should take the following precautions:

1. Think Security

Unfortunately, DevOps security – or DevSecOps as it is now called – is often underrepresented in the software development process, including securing public-facing APIs. Developers need to consider the security implications of API usage within the overall development process, including ways in which APIs can be used for nefarious purposes.

A fundamental component in securing APIs lies in implementing solid authentication and authorization principles. For APIs, developers commonly use access tokens that are either obtained through an external process (e.g., when signing up for the API) or through a separate mechanism (e.g., OAuth). The token is passed with each request to an API and is validated by the API before processing the request.

2. Apply Common Industry Security Best Practices and Standards

Abiding to coding best practices and keeping tabs on the most common API vulnerabilities (e.g., SQL/script injections and authentication vulnerabilities) should be a core best practice for developers and DevSecOps personnel. The Open Web Application Security Project (OWASP) is a good source for this type of information.

3. Monitor via API Gateway

When disparate APIs are stored in an applications code base, an API gateway can be used to monitor, analyze and throttle traffic to minimize the risk of DDoS attacks, and enforce preset security policies (e.g., authentication rules). According to One Poll, 80 percent of organizations use a public cloud service to protect the data behind their APIs with most businesses using the combination of API gateways (63.2 percent) and Web application firewalls (63.2 percent).

Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).